KDE kscd SHELL Environment Variable Vulnerability

Vulnerability ID: 1105835    Vulnerability Type: Other
Published: 2000-05-16    Updated: 2005-05-02
CVE: CVE-2000-0393    CNNVD-ID: CNNVD-200005-059
Platform: Linux    CVSS Score: 7.2
|Vulnerability Source
https://www.exploit-db.com/exploits/19915
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200005-059
|Vulnerability Details
The KDE kscd program does not drop its privileges before executing the program named in the user's SHELL environment variable. A user can exploit this by pointing SHELL at an alternate program, which kscd then runs with its elevated privileges.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/1206/info

Some linux distributions (S.u.S.E. 6.4 reported) ship with kscd (a CD player for the KDE Desktop) sgid disk. kscd uses the contents of the 'SHELL' environment variable to execute a browser. This makes it possible to obtain a sgid 'disk' shell. Using these privileges along with code provided in the exploit, it is possible to change attributes on raw disks. This in turn allows an attacker to create a root shell, thus compromising the integrity of the machine.

Red Hat, Linux Mandrake, and Turbo Linux do not currently ship with kscd setgid 'disk'.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/19915.tgz
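The root cause recorded above is a privileged program trusting an attacker-controlled environment variable and launching it without first giving up its set-group-ID. The following is an added illustration of the defensive pattern, written for this page and not taken from kscd or KDE: the helper is chosen from SHELL only when the process holds no extra group privilege, and the child drops its effective and saved gid (relying on Linux setregid() semantics, an assumption noted in the code) and verifies the drop before exec. The `/bin/sh` fallback path is an assumption, not something the advisory specifies.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed fallback used whenever the environment cannot be trusted. */
#define FALLBACK_SHELL "/bin/sh"

/* 1 when the effective gid differs from the real gid, i.e. the binary was
 * started set-group-ID (the kscd sgid 'disk' situation). */
int has_elevated_group(void)
{
    return getegid() != getgid();
}

/* Drop the effective (and, on Linux, the saved) gid back to the real gid
 * and confirm the privilege cannot be regained. Returns 0 on success. */
int drop_group_privileges(void)
{
    gid_t real = getgid();
    gid_t old_effective = getegid();

    /* Assumption: Linux setregid(r, e) also resets the saved set-gid when
     * the real gid is passed explicitly, so setegid() cannot restore it. */
    if (setregid(real, real) != 0)
        return -1;
    if (getegid() != real)
        return -1;
    /* If we previously held a different gid, prove it is really gone. */
    if (old_effective != real && setegid(old_effective) == 0)
        return -1;
    return 0;
}

/* The environment is only honoured when we run with no extra privilege,
 * and only if it names an absolute path; otherwise use the fixed fallback. */
const char *choose_shell(const char *env_shell, int privileged)
{
    if (privileged || env_shell == NULL || env_shell[0] != '/')
        return FALLBACK_SHELL;
    return env_shell;
}

/* Fork, drop privileges in the child, then exec. If the drop fails the
 * child refuses to run anything. Returns the child's exit status or -1. */
int run_unprivileged(const char *prog, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_group_privileges() != 0)
            _exit(127);
        execv(prog, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *shell = choose_shell(getenv("SHELL"), has_elevated_group());
    char *const argv[] = { (char *)shell, "-c", "id", NULL };
    printf("running %s with group privileges dropped\n", shell);
    return run_unprivileged(shell, argv);
}
```

The two checks are independent: even if the helper path were hard-coded, the privilege drop in the child matters because a browser or shell inherits everything the parent holds, and the verification step catches the case where setregid() silently left the saved gid in place.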
|References

Source: BID
Name: 1206
Link: http://www.securityfocus.com/bid/1206
Source: SUSE
Name: 20000529kmulti<=1.1.2
Link: http://www.novell.com/linux/security/advisories/suse_security_announce_50.html
Source: BUGTRAQ
Name: 20000516kscdvulnerability
Link: http://archives.neohapsis.com/archives/bugtraq/2000-05/0172.html